ARTICLE 29 DATA PROTECTION WORKING PARTY

0746/09/EN
WP 162

Second opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations

Adopted on 6 April 2009

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

The secretariat is provided by Directorate D (Fundamental Rights and Citizenship) of the European Commission, Directorate General Justice, Freedom and Security, B-1049 Brussels, Belgium, Office No LX-46 01/06.

Website: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

The Working Party on the protection of individuals with regard to the processing of personal data

Set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995,

Having regard to Articles 29 and 30 paragraphs 1 (a) and 3 of that Directive, and Article 15, paragraph 3 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002,

Having regard to Article 255 of the EC Treaty and to Regulation (EC) no. 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents,

Having regard to its rules of procedure,

Has adopted the present document:

1. Introduction and background

In its first opinion on this topic [1], the Working Party examined the compatibility of the draft International Standard for the Protection of Privacy and Personal Information ("the Privacy Standard" or "the Standard") with the minimum level of protection required by European data protection regulations. Although it expressed its support for a number of aspects of the Standard, including a reference to Directive 95/46/EC, it did not conclude that it was compatible with the minimum level of protection offered by the directive, and made certain recommendations.

The draft standard has since been modified and has been in force since 1 January 2009. The World Anti-Doping Agency (WADA) has provided additional information in response to the Working Party's previous requests for clarification.

The Working Party is happy that some of its remarks have been integrated in the Privacy Standard [2]. It regrets, however, that its other remarks have not been taken into account (see point 3.2. below).

[1] Opinion 3/2008 of 1 August 2008 on the World Anti-Doping Code Draft International Standard for the Protection of Privacy (WP 156) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp156_en.pdf

[2] The modified definition of "processing", of "sensitive data" (which no longer includes political opinions, religious or philosophical beliefs and trade-union membership, the relevance of which in the fight against doping was questioned by the Working Party (3.2.)) and the clarification provided under 6.2. The Working Party has also observed that article 6 has been rewritten and in addition to consent - consent from now on informed - it now also provides that "Personal information" shall be processed "where expressly permitted by law". It has also noted other modifications in line with its remarks, among others that the comment to article 9.2 has been elaborated, the terms "plainly vexatious" have been deleted under 11.2. with regard to the exercise of the right of access and that Participants' rights to initiate a complaint with an international anti-doping organization are now provided for in article 11.5.

This opinion concerns matters which the Working Party believes continue to be problems in the context of European requirements for privacy and personal data protection, without formally proceeding to any findings regarding adequacy. It notes that the standard explicitly mentions the principle according to which the common minimum set of rules established by the standard applies to ADOs without prejudice to stricter rules or norms they may have to observe pursuant to their national legislation.

The 2005 UNESCO International Convention against Doping in Sport, which has been ratified by 25 of the 27 EU Member States, was concluded in order to endorse the work of WADA at international level. The Convention does not alter the rights and obligations of the signatories in relation to other agreements previously concluded (Article 6). It encourages cooperation between States in appropriate circumstances, and always subject to domestic law, namely, Directive 95/46/EC and Member States' laws implementing it. According to EC law, any provisions in an international agreement which are incompatible with EC law are subordinate to EC law. The UNESCO Convention does not make any specific reference either to fundamental rights in general or data protection rights in particular.

The Working Party cannot confine its remarks only to the Privacy Standard. As the Privacy Standard contains numerous references to the WADA Code and to the ADAMS database (see 2.2.), it is necessary to examine it in the broader context of its application. That is why after having recalled the main features of the system developed by WADA (point 2), the opinion refers in more detail to the following matters: whereabouts (3.1.), un-integrated remarks from the first opinion (3.2.), grounds for processing (3.3.), the transfer of data to the ADAMS database in Canada and to other countries outside the EU (3.4.), retention periods (3.5.) and sanctions (3.6.).

Controllers in the EU, such as national anti-doping organizations (NADOs), ((inter-)national) sports federations and Olympic Committees, can deduce from this opinion some of the legal boundaries that exist for processing athletes' (and other data subjects') personal data. The Working Party emphasizes that controllers in the EU are responsible for processing personal data in compliance with domestic law and must therefore disregard the World Anti-Doping Code and International Standards insofar as they contradict domestic law. The Working Party recommends that these controllers seek legal advice in order to be fully aware of all relevant issues, especially the applicability of national laws.

2. Description of the main features of the WADA anti-doping system

2.1. International context

WADA is a Foundation established pursuant to Swiss law to promote and coordinate, at international level, the fight against doping in all forms of sport and, in pursuing this aim, to cooperate with intergovernmental organizations, governments, public authorities and other public and private bodies fighting against doping in sport. It has adopted the WADA Code, of which a number of Standards, including the Privacy Standard, form part [3]. The purpose of the Code is to ensure harmonized, coordinated, and effective anti-doping programs at the international and national level with regard to detection, deterrence and prevention of doping.

[3] Five standards have been adopted so far: Prohibited List, International Standard for Testing, International Standard for Laboratories, International Standard for Therapeutic Exemptions and International Standard for the Protection of Privacy and Personal Information.

The Code has been accepted by the international federations of the sports played in the EU and the NADOs of all EU Member States.

2.2. The Code, the anti-doping controls and the ADAMS Database

The WADA Code requires, inter alia, ADOs to select athletes for inclusion in a Registered Testing Pool, and also obtain from them their Whereabouts Information.

WADA has developed, and controls, a web-based Anti-Doping Administration and Management System ("ADAMS"), a database, situated in Montreal, Canada [4], by the means of which it acts as a "clearing house" for doping control related data. ADAMS can be used as a data sharing tool by those ADOs wishing to use it, although information suggests that WADA intends eventually to make the use of ADAMS compulsory.

[4] See WADA's website: http://www.wada-ama.org

The use is governed by a standard agreement between WADA and ADOs, which allows ADOs to create in ADAMS a profile of the athletes registered in the Registered Testing Pool, and the right to give "the required access" to the profile and "other information" related to an athlete to any ADO which is entitled by the Code to test that athlete. The profile must include the Registered Testing Pool to which the Athlete belongs; name (first name, last name); date of birth; gender; nationality; sport nationality; a list of sports and disciplines the Athlete competes in; a list of all ADOs that can access the Athlete's Doping Control related data and a flag indicating whether the Athlete competes at an international level. The athlete's name, date of birth, gender and sport nationality can be disclosed to other users of ADAMS.

According to the agreement, ADOs are obliged to ensure that athletes upload and update in ADAMS their Whereabouts Information, and to give access to this information, also, to any other ADO which, according to the Code, may test the athlete.

In addition, Anti-doping authorities are obliged to report in ADAMS all doping control related data and all decisions granting a Therapeutic Use Exemption, and to give WADA access to all therapeutic use exemptions contained in ADAMS. (In certain cases, athletes may apply to their respective ADOs for a Therapeutic Use Exemption in relation to the use of otherwise prohibited substances).

The data retention period is "at least" 8 years (except for Whereabouts information for which the retention period is 18 months). No maximum retention period appears to have been set.

The agreement requires ADOs to acknowledge that an athlete's consent is not necessary in order to create the athlete's profile, but that ADOs understand that consent "may" be required under applicable privacy laws. ADOs are obliged to obtain all necessary consents from athletes, both on WADA's behalf as well as their own, and indemnify WADA against any claims made against it as a result of failing to obtain the necessary consent from an athlete.

One article is dedicated to data privacy, and prohibits ADOs from disclosing any data to any person within their organisation other than on a need-to-know basis, and even then only in accordance with the purpose of the WADA Code. They must collect, process and disclose data only for the purpose for which they were collected, inform recipients of such information of the confidential nature of such data and direct recipients to treat such data confidentially, and agree in writing with the recipients to preserve their confidentiality. They may disclose the data to persons named either in the agreement or the Code.

For its part, WADA may process data to satisfy the obligations of ADOs under the Code. It may also disclose data, subject to contractual controls and the approval of ADOs, to any other third party service providers it may engage in the administration and maintenance of ADAMS, or as required by applicable law, regulation or governmental authority.

ADOs are responsible for implementing reasonable security measures to prevent unauthorised access to data stored in ADAMS. In the event of any corruption, loss, damage or mistransmission of data while in the possession of WADA, WADA must use reasonable efforts to restore or regenerate the lost data, but in no circumstances will it assume any liability for such corruption, loss, damage or mistransmission of data caused by the misuse of ADAMS by an ADO or an athlete.

By the agreement the parties acknowledge that they are responsible for compliance with their respective data protection and privacy laws. ADOs must therefore comply with applicable data protection legislation.

No specific agreement applicable to national sporting bodies and international federations (as opposed to ADOs) is available; however, it would seem that the material issues are the same. Most international federations are based in Switzerland. The agreement itself is expressed to be governed by Swiss law.

For the purposes of this opinion, the issue of data controller/data processor for any particular processing is omitted, although this issue could well be relevant, especially as regards non-EU bodies acting as data controller with the EU.

3. Specific issues

3.1 Whereabouts

As already mentioned, according to the WADA Code and the International standard for Testing, athletes who have been identified by their International federation or NADO for inclusion in a Registered testing pool must provide accurate, current location information. This information should be accessible to the ADO through the ADAMS database. These provisions are directly relevant to the data protection rules as set up in the Privacy Standard (see article 2.0.).

The provision of such data is justified mainly by the need to conduct effective out-of-competition testing programs. However, this requirement must be met by processing only relevant, proportionate personal information in compliance with data protection principles. In this regard, the Council of Europe Antidoping Convention (1989) [5] provides that anti-doping controls should be carried out at appropriate times and by appropriate methods without unreasonably interfering with the private life of a sportsman or sportswoman (Article 7, par. 3(a) and par. 74 of the Explanatory Memorandum).

[5] See the website of the Council of Europe (STE n° 135). http://conventions.coe.int/treaty/en/treaties/html/135.htm

In the light of the above, the information to be provided concerning the whereabouts and the time slots for controls should be clearly determined by taking into account the requirements of the principles of necessity and proportionality with respect to the purposes of out of competition testing, and avoiding the collection of information that might lead to undue interference in athletes' private lives or reveal sensitive data on athletes and/or third parties (such as their relatives).

The processing of relevant, proportionate personal information should begin by analysing which athletes are at risk of using doping, and in what way. WADA provides ADOs with the tools to make such a risk analysis (International Standard for Testing, paragraph 4.4). The Working Party wants to emphasize that the composition of the Registered testing pool should be based on such a risk analysis. Among others, the type of sport the athlete competes in (for example related to the kind of prohibited substances or methods that can be used in that sport to enhance the performance of the athletes, and related to the culture of not - using prohibited substances or methods), the level at which the athlete competes, personal risk factors of athletes, are all factors in selecting the Registered testing pool.

The risk analysis and, especially, the factors stated above, should also be relevant to the extent of whereabouts information to be required from specific athletes. In general, the Working Party is pleased to note that the Code and International Standard for Testing, article 11.3, do not require whereabouts information on a 24/7 basis. This would not only be disproportionate, but would also result in the obligation to provide sensitive data as athletes, just like other individuals, for example go to church, seek medical help and/or visit meetings of political parties; and as a rule, as far as whereabouts are concerned, there is no ground for processing sensitive data on a mandatory basis.

The Working Party considers it to be proportionate to require personal data in regards to the specific 60-minute time slot and to require filling in the name and address of each location where the athlete will train, work or conduct any other regular activity (as only related to the athlete's regular routine, see article 11.3 of the International Standard for Testing). The examples given indicate that, apart from the 60-minute time slot and residence, information about four hours a day is considered proportionate. [6] The Working Party therefore expects WADA not to demand that the ADOs collect more whereabouts information than described above.

Moreover, requests about any regular activities other than competition and training could be considered disproportionate when made to athletes other than top athletes who are active in national and international competitions. The reason for this is that WADA itself has indicated that [f]or athletes competing at a lower level, the rules are much more relaxed. For such athletes, whereabouts information restricted to competitions and training locations and times arguably might suffice, however it would not be the most efficient manner of testing in WADA's view [7]. The question of whether there is a ground for processing personal data is however not one of efficiency but rather one of necessity.

[6] See for example the comment to article 11.3.1(e) of the International Standard for Testing.

[7] See p. 6 of WADA Responses to Working Party 29, 30 January 2009.

In addition, WADA should reconsider requesting that the residence on each day of the following quarter (even temporary lodging) should be filled in (article 11.3.1 under d. of the International Standard for Testing) as this would appear to be questionable, considering that in case of no advance notice testing the Doping control officer shall attempt to locate the athlete between the hours of 7:00am and 10:00pm (Article 2.2 of the Guideline for out of competition testing June 2004). In light of the comments above on lower level athletes, this would be relevant particularly for those lower level athletes.

Furthermore, the athletes should be made aware of the personal data they are required to provide: the information notice given to the athlete has to specify whether detailed information on the athlete's whereabouts is to be provided on an optional or mandatory basis and what consequences arise from the failure to provide such information.

3.2. Some un-integrated remarks from the first Opinion (WP 156)

3.2.1. Terms and definitions used in the Code and in the Standard

Participant - person

The Working Party considers that the concept of "Participant" - as defined by the Code and the Privacy Standard - is too restrictive to guarantee protection to any person about whom data can be processed within the framework of the implementation of the Code. In this context, please note that the Code, amongst others in various articles dealing with hearings on anti-doping rule violations and on publication of violations, uses the unrestricted term "person" (for example articles 8 and 14 of the Code). The provision of information provided by article 7 and the rights provided by article 11 of the Privacy Standard are however limited to participants. While the Working Party recognises that only athletes and their support personnel will be required to provide personal data to WADA, it would help to avoid confusion if the use of terms was consistent across the Privacy Standard and the Code.

Third party

The term "third party", used amongst others in article 14.6 of the Code and in 8.3 of the Privacy Standard, is undefined. The Working Party suggests a definition is provided.

Personal information

Article 3.2 of the Standard defines personal information as "Information, including without limitation Sensitive Personal Information, relating to an identified or identifiable Participant." In particular in light of the remarks above, the Working Party advises to widen this definition and speak of "individual" rather than "participant".

As to anonymisation of personal data (referred to for example in article 10 of the Standard), the Working Party makes reference to its Opinion 4/2007 on the concept of personal data to understand what is meant by "anonymisation / anonymous data" according to the Directive.

The Working Party observes that except for Article 9 (Maintaining the Security of Personal Information) the Privacy Standard does not offer additional guarantees for the protection of health data and judicial data processed within the framework of the anti-doping activities.

Third-party agents

The Working Party considers that the concept of "third-party agents" used in article 4.1 of the Standard includes subcontractors within the meaning of Article 2 (e) of Directive 95/46/EC.

Further comments regarding this concept (see comments on security of processing, relating to article 9.4 of the Standard) are based on this assumption. The scope of this concept should be precisely defined.

3.2.2. Purposes for processing personal data

The specific purposes of the data processing carried out under the Code should be defined and specified. The mere reference to data processing by the anti-doping organisations "in the context of their anti-doping activities" (article 4.1 of the Privacy Standard) and the formulation in article 5.1 of the same Standard ("Anti-Doping organizations shall only process personal information where necessary and appropriate to fulfil their responsibilities under the Code and International Standards") are not sufficient.

Article 5.3 refers to a number of purposes for which data can be processed. It is unclear how these differently worded purposes are to be understood, so the Working Party suggests that this point be clarified. Similarly, the purposes for disclosing personal data to other Anti-Doping Organizations mentioned in article 8.1 could be specified.

In addition, the Working Party stresses the need to respect the finality principle and the requirement for compatibility of further data processing with the initial purpose for which the data were collected.

3.2.3. Necessity and proportionality of personal data

The Privacy Standard does not distinguish between the various categories of persons subject to it (athletes, supporting staff, third party). However, the application of the proportionality principle will depend on the category to which the person belongs. Consequently, the Privacy Standard should be modified in this regard.

Article 5.3. of the Standard should specify the personal information or the categories of personal information necessary to achieve the purposes referred to in (a), (b) and (c) by taking into account the requirements of the principles of necessity and proportionality. As previously indicated, the implementation of these principles will vary according to the category of persons whose data will be processed (athlete, supporting staff).

3.2.4. Accuracy of personal data

Article 5.4 of the Standard provides that processed personal information must be exact, complete and updated. The last sentence of this paragraph, however, seems to soften this obligation towards ADOs. It even seems to move responsibility from the data controller to the data subject [8]. The comment tends to confirm this move.

In this respect, the Working Party stresses that according to Article 6 (d) of the Directive, all necessary measures must be taken so that inaccurate or incomplete data with respect to the purposes for which they are collected or later processed are erased or rectified. This responsibility falls to the data controller, if necessary, in response to a request for correction addressed by the data subjects.

[8] "( ). Although this does not necessarily require Anti-Doping Organizations to verify the accuracy of all Personal Information they Process, it does require that Anti-Doping organizations correct or amend any Personal Information that they affirmatively know to be incorrect or inaccurate as soon as possible".

3.2.5. Information to participants The Working Party points out the requirements of Articles 10 and 11 of Directive 95/46/EC, in particular to provide, in addition to the identity of the data controller, the identity of any of its representatives. Article 7.2 of the Standard provides that when the personal information is not collected from the participant, they are informed "as soon as possible". To satisfy the requirements of the Directive (Article 11 1), this information will have to be communicated at the time of undertaking the recording of the data or, if a disclosure to a third party is envisaged, not later than the time when the data are first disclosed. The Working Party also raises the point that under the comment to Article 7.2, the use of the terms "he or she should (..) have reasonable access to information " weakens the right to information of the data subjects. It recalls that the data subject s right to be informed is essential and forms part of the requirement for transparency of data processing. The comment to Article 7.2 goes on to state that each Anti-Doping Organization should ensure that its processing of personal information is reasonably transparent to participants. The Working Party suggests to delete the word reasonably. The comment provides an exception to the provision of information (which is limited in time). The Working Party understands the background of the exception, but nevertheless wishes to indicate the relevant rules in this regard: Please note that Directive 95/46/EC allows for limitations to the provision of information in exceptional circumstances, where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down in law. These limitations should be interpreted strictly. 
Finally, the Working Party has read through the 5th edition of the Athlete Guide that is available online on the web site of the World Anti-Doping Agency (WADA) 9. It suggests adding a 7th part on privacy protection and the protection of Athletes' personal data in a later edition. This would only contribute to better informing Athletes.

9 The Athlete Guide, 5th edition, available at http://www.wada-ama.org

3.2.6. Rights of participants with respect to personal information

The Standard envisages a right of access for the athletes and their supporting staff. Under Article 12 of the Directive, a data subject has the right to obtain from the data controller, as a minimum, information as to the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom these data are disclosed. These elements are not reflected in the Standard.

The Standard provides that in certain cases, the anti-doping organisations are not obliged to answer access requests. The Working Party notes in this respect that the exception formulated in particularly vague terms in article 11.1 of the Standard (unless to do so in a particular case would conflict with the Anti-Doping Organization's ability to fulfil its obligations under the Code) does not, on the face of it, appear to be in conformity with Articles 12 and 15 of the Directive. The Working Party notes the explanation provided by WADA in this regard, that this exception covers personal information collected and used in connection with anti-doping violation procedures and information processed when planning anti-doping tests. It considers nevertheless that there would not a priori be a reason to withhold access to information on data in connection with anti-doping violation procedures.

The exception formulated in article 11.2 (requests that are excessive in terms of their scope or frequency, or impose a disproportionate burden in terms of costs or effort) likewise does not, on the face of it, appear to be in conformity with Articles 12 and 15 of the Directive.

In relation to both article 11.1 and 11.2, the Working Party notes that any restriction of the right of access is only allowed if it conforms to the provisions of Article 13 of the Directive, which authorises Member States to adopt legislative measures aiming to restrict the scope of this obligation insofar as this restriction is necessary to safeguard the interests listed under those provisions.

The Working Party notes with satisfaction that, in the event of refusal of exercise of the right of access by the participants, the latter will receive the reasons of such refusal in writing. It recalls, nevertheless, that this refusal is permissible only under the conditions of Article 13 of the Directive, which must be interpreted strictly.

Regarding Article 11.4, the Working Party stresses that, under Article 12 (c) of the Directive, the data controller must notify the third parties to which the data were communicated of any correction or deletion carried out because of the incomplete or inaccurate nature of the data unless this proves impossible or involves disproportionate efforts. To be compliant with the European data protection regulation, the terms "where appropriate" should be interpreted only within the meaning of these two exceptions.

The Working Party also suggests that the Code contain a right of remedy and a right of compensation for the damage suffered by a participant as a result of a processing operation incompatible with the Standard.

3.2.7. Security of processing

As for the subcontractors to whom the ADOs might have recourse (third-party agents, point 9.4), the Working Party recalls the rules prescribed by Articles 16 and 17 of Directive 95/46/EC, in particular, the obligation of the data controller to choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out.

3.2.8. Control and supervision on the implementation of the Code and the Privacy Standard

Article 8.3 of the Standard indicates that an ADO can express its concern to WADA about the possible non-compliance with the Standard by another organisation. WADA has informed the Working Party that compliance is also ensured by means of periodic assessments of ADOs and the submission of online questionnaires by ADOs to WADA. The Working Party wonders how WADA has until now fulfilled this task of supervising compliance. Supervision of the implementation of the privacy principles following from the Code and the Standard, including applying appropriate sanctions, is crucial to ensure the effectiveness of the Code and the Standard.

3.3. Grounds for processing

The Working Party regrets that the remarks it made about validity of the participant's consent were not taken into account. The Working Party maintains that such consent does not comply with the requirements of article 2 (h) of Directive 95/46/EC, which defines consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." The sanctions and consequences attached to a possible refusal by participants to subject themselves to the obligations of the Code (for example providing whereabouts filings) prevent the Working Party from considering that the consent would be, in any way, given freely 10.

10 For example article 6.3.a of the Standard which requires that "Anti-Doping Organizations shall inform Participants of the negative consequences that could arise for their refusal to participate in doping controls, including Testing and of the refusal to consent to the Processing of Personal Information as required for this purpose." The comment to this provision adds that participants must be informed that their refusal could prevent their continued involvement in organised sport and, for athletes, constitute a violation of the Code and invalidate competition results, among other things.

In addition, Directive 95/46/EC forbids the processing of sensitive data, such as data concerning health, and data revealing racial and ethnic origin, unless a valid ground can be found in article 8 of the Directive. Article 6.2 of the Privacy Standard suggests processing of sensitive data could take place on the basis of consent. In principle, article 8, paragraph 2, a) of the Directive provides that consent is a ground for processing. However, the remarks made on consent above also apply in this context. Furthermore, the Working Party recalls that the Directive does not allow for the processing of data relating to infringements on the basis of the consent of the data subject (article 8, paragraph 5 of Directive 95/46/EC).

In conclusion, the data processing cannot be based on consent as defined in article 7(a) and article 8, paragraph 2(a) of Directive 95/46/EC. It could possibly be based on article 7 (c) and article 8 (4) of the Directive, if applicable law authorises anti-doping organisations to proceed with such processing operations. If article 8 (4) is relied upon, the Working Party recalls that the national legislation or the decision of the supervisory authority must be subject to the provision of suitable safeguards as to the privacy and data protection and based on a substantial national public interest. According to article 8 (4) a substantial public interest of a third party would therefore not qualify.

Without prejudice to the remarks made about consent, the Working Party notes with satisfaction that the current version of the Standard provides that anti-doping organisations shall only process personal information if they have been explicitly authorised to do so by applicable law.

The Working Party is of the opinion that article 7 (e) of Directive 95/46/EC might provide a legal basis for processing, to the extent that ADOs have public status, including a clearly defined national public mission authorising them under national law to process the necessary data to fulfil this mission observing the prescriptions of the Directive as transposed into national law.

However, the Working Party holds that it would be very difficult for anti-doping organisations to invoke their legitimate interest alone (article 7 (f) of the Directive). This provision would demand that ADOs do a privacy test, whereby the interests of the controller on the one hand are weighed against the fundamental rights and interests of the data subject on the other hand. The gravity of privacy intrusions as a result of the fight against doping as it was conceived and has been implemented by the WADA, should weigh heavily in this context. The Working Party furthermore recalls that only data that are necessary for a given purpose can be processed, and that no other less intrusive means to reach the same purpose should be available.

Furthermore, as explained above, for the processing of sensitive data these grounds would not suffice. In particular, as to the processing of medical data, for example for Therapeutic Use Exemptions, the only possible ground is national legislation that meets the requirements of article 8 (4) of Directive 95/46/EC.

As to the processing of information on sanctions, the processing of data relating to offences may be carried out only under the control of official authority, or if suitable safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards (article 8 (5) of the Directive). Therefore, unless national law or the Data Protection Authority of the Member State the processor is operating in provides a ground for processing data about offences for this purpose, anti-doping organizations in Member States are not allowed to process data on offences, neither by publishing them on the internet nor by processing them in other registrations.

3.4. The transfer of data to the ADAMS Database in Canada and to other countries outside the EU

The question of whether or not personal data may be freely transmitted from the EU to the ADAMS database in Canada without additional safeguards depends on the adequacy of the level of protection of personal data in Canada. In this regard, there is no Commission decision about Canada generally.
There is only a Commission decision on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), 11 which applies only to private sector organizations that collect, use or disclose personal information in the course of commercial activities.

11 Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (2002/2/EC).

According to the Privacy Standard, private information regarding athletes and associated persons "shall be maintained by WADA, which is supervised by Canadian privacy authorities". These privacy authorities are not specified. The ADAMS agreement describes WADA as a non-profit organization, which thus falls outside the scope of PIPEDA. No other available information suggests that personal data transferred from the EU are transferred to any organization other than WADA, whatever service contracts it may have with third parties.

In her letter dated 10 November 2008 to the Article 29 Working Party, the Canadian Privacy Commissioner informs that, according to her analysis, the PIPEDA adequacy decision does not apply to WADA, given that its everyday activities are not of a commercial nature.

However, she does say that PIPEDA does apply to CGI, a commercial enterprise with which WADA is said to have entered into an agreement for the maintenance of ADAMS. The details of this agreement are not known, so it is not possible to comment on whether or not data subjects' rights have been affected by such an agreement.

Based on the information received from the Canadian Privacy Commissioner, which the Working Party considers to be the competent authority in this context, it cannot be said with certainty that PIPEDA applies either to WADA or ADAMS. The mere fact that PIPEDA does not apply to WADA and ADAMS does not automatically mean that the jurisdiction in which they are located does not ensure an adequate level of protection. At the same time, it does not necessarily mean that it does, either.

So far, the use of ADAMS is not mandatory. However, based on the Code, ADOs falling under EU law are obliged to share personal data with other relevant bodies, inside and outside the EU. The Code thus obliges the transfer of personal data from the EU. For example, information concerning adverse analytical findings should be communicated to the International Federation and WADA 12, and an athlete's whereabouts information should be available to all ADOs having jurisdiction to test an athlete 13. These could be for example International Federations, the International Olympic Committee, or national ADOs of a third country 14.

Where the third country to which a transfer takes place does not ensure an adequate level of protection, the transfer from the EU must be based on the derogations specified in article 26 (1) of the Directive, or be accompanied by the additional guarantees specified in article 26 (2) of the Directive. Inasmuch as the WP12 15 adequacy standards mandate adequate provision for protection of onward transfers, such safeguards should likewise ensure the adequate protection of personal data in the event of onward transfers. Article 26 (2) safeguards must be authorized by Member States and notified to the Commission.

12 See article 14.1.2 of the Code.
13 See article 14.3 of the Code.
14 See also article 5.1 of the Code.
15 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, 24 July 1998.

For guidance on the interpretation of the exemptions provided in article 26 (1) of the Directive, the Working Party refers to its Working Document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995 (WP114), and chapter 5 of its Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP12). In particular, the Working Party would like to point out that the derogations to the adequacy rule of article 26 (1) of the Directive for the most part concern cases where risks to data subjects are relatively small, or where other interests override the data subject's right to privacy and other fundamental rights. Therefore, they should be interpreted restrictively so that the exception does not become the rule.

For the reasons already mentioned by the Working Party in its first Opinion (WP 156) and repeated in the present one, consent as a ground for all transfers of athletes' data will not comply with the requirements of article 2 (h) of Directive 95/46/EC. Although the Athlete's Information Notice annexed to the agreement governing the use of ADAMS satisfies many of the requirements as to information to be given by a data controller to a data subject, it contains provisions which cause some concern. Thus, athletes are informed that their personal data may be made available to persons or parties located outside the athlete's place of residence, and that in some countries data protection laws may not be equivalent to local national laws; that they may have certain rights under applicable laws, and that concerns about processing can be addressed to any of the Testing Authority, WADA, the relevant sporting federation or ADO. Most significantly, the athlete is informed that he understands that he may revoke his consent at any time, but in that event WADA and ADOs may still consider it necessary to continue processing; that the athlete's participation in organized sporting events depends on his adherence to the Code, which includes a duty to participate on a voluntary basis in anti-doping procedures, and that withdrawal of consent will be construed as a refusal to participate in such procedures, as a result of which the athlete could face disciplinary and other sanctions.

Article 26 (1), (b) provides that personal data may be transferred to a third country if the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures in response to the data subject's request. In case there is, for example, a (labour) contract between an athlete competing at international level and an ADO dealing with training and competition, this could provide a basis for the transfer of the personal data that are necessary to compete and train internationally, including whereabouts information, to specific involved parties in third countries. However, the exemption should be interpreted restrictively. No more personal data should be exchanged than strictly necessary for the purposes of the contract, and no other than the directly involved parties should receive those data.
The necessity test requires a close and substantial connection between the data subject and the purposes of the contract. For these reasons, in the given example, transmission to WADA as a clearing house and the use of ADAMS for the transmission of data to other parties, though facilitating the transmission of data, would not be considered a necessity to fulfill the contract between the athlete and the ADO. Neither would the use of ADAMS by an ADO falling under EU law for processing whereabouts information in its own jurisdiction fall under this exemption.

It would be very difficult to apply the derogation of article 26(1), (d) for the transfer of data on important public interest grounds. A simple public interest justification would not suffice; it must be a question of an important public interest. This important public interest should be identified as such by the national legislation applicable to data controllers established in the EU.

In addition, the Working Party recommends that transfers of personal data that could be qualified as mass, repeated or structural should not be based on the derogations. It is also stressed that each transfer, concerning each athlete and for each purpose, would need a justification under article 26 (1) if this provision were to be used, which would be very complex to assure.

In conclusion, ADOs are required to ensure an appropriate legal framework for all international transfers of personal data taking place under the aegis of the World Anti-Doping Code. Particularly in light of the implications for the right to privacy of data subjects, the structural character of international data transfers, and the limitations to the use of the derogations of article 26 (1) of the Directive, ADOs should preferably make use of additional safeguards such as contractual clauses, as provided by Article 26(2), in which case the authorization of the Member State will be necessary.

3.5. Retention periods

The Working Party welcomes the inclusion in the Standard of a provision relating to the duration of retention of data and of the obligation to erase those data when they are no longer needed, having regard to the purposes for which they were processed (article 10).

WADA has indicated to the Article 29 Working Party that whereabouts information is retained in ADAMS for up to 18 months. Article 2.4 of the Code states that any combination of three missed tests and/or filing failures within an eighteen-month period as determined by Anti-Doping Organizations with jurisdiction over the Athlete shall constitute an anti-doping rule violation.

Most other information, such as test plans, test results, therapeutic use exemptions and their underlying documentation, records of doping violation procedures and so forth are retained for a minimum of eight years. The justification for the eight-year period is that eight years has been established by article 17 of the Code as the period after which no action may be commenced against an athlete or other person for an anti-doping rule violation asserted to have occurred (statute of limitations period). This is considered appropriate as it would span at least two Olympic Games. It is also considered to be justified by the fact that this is the period during which a new offence will count as a second offence by the Court of Arbitration for Sport. WADA also indicates that it is possible that some ADOs retain data for longer 16.

16 See p. 8 of WADA Responses to Working Party 29, 30 January 2009.

The Working Party questions the relevance and necessity of these retention periods. As to the whereabouts information, the Working Party does not consider that there is a valid reason to retain this information after the date relating to particular whereabouts information has passed. As a matter of fact, article 14.3 of the Code itself provides the following rule for the retention of whereabouts information: "This information shall be used exclusively for purposes of planning, coordinating or conducting testing; and shall be destroyed after it is no longer relevant for these purposes." Whereabouts information could only be retained longer if the anti-doping organization considers there is an alleged whereabouts filing failure and/or missed test. In such case, a retention of 18 months is justified, as three alleged whereabouts failures amount to an alleged anti-doping rule violation. Once, however, it is determined that there has not been an anti-doping rule violation, the whereabouts information should be deleted. The Working Party therefore urges WADA to change its policy on the retention of whereabouts information in light of the above.

The Working Party considers that the retention of information on convictions for a maximum of eight years could be necessary in light of the fact that a new offence would count as a second offence by the Court of Arbitration for Sport. However, it would not be necessary to retain all data for the purpose of commencing future actions. For example, the Working Party considers there could be a reason to retain samples, as new techniques developed later could be able to detect substances that were untraceable at the time of collection of the sample. There does not seem to be a justification for retaining up to eight years the documentation underlying therapeutic use exemptions, test planning, anti-doping cases resulting in an acquittal for the athlete, etc.

The Working Party would call upon WADA to reconsider its statute of limitations period of eight years for all anti-doping rule violations. The anti-doping rule violations range from use by an athlete of a prohibited substance, to possession of prohibited substances and prohibited methods (see article 2 of the Code). Would WADA consider it to be justified to be able to start proceedings against a person eight years after an alleged violation has occurred, regardless of the type of anti-doping violation? The Working Party suggests that WADA consider a more proportionate approach, depending amongst others on the types of violations.

The Working Party therefore invites WADA to determine, taking into account the experience gained in that field, more reasonable maximum retention periods for the various categories of personal data. It also advises WADA to ensure that the ADOs are obliged to adhere to these retention times.

3.6. Sanctions

Article 14.2.2 of the Code provides that no later than twenty [20] days after it has been determined in a hearing in accordance with Article 8 of the Code that an anti-doping rule violation has occurred, or such hearing has been waived, or the assertion of an anti-doping rule violation has not been timely challenged, the ADO responsible for results management must publicly report the disposition of the anti-doping matter, including the name of the athlete or other person committing the violation, the sport, the anti-doping rule violated, the prohibited substance or prohibited method involved and the consequences imposed. Similarly, appeal decisions concerning anti-doping rule violations must be publicly reported. Article 14.2.4 further specifies that publication shall be accomplished at a minimum by placing the required information on the ADO's web site and leaving the information for at least one [1] year.
In the information exchange with the Article 29 Working Party, WADA has indicated several reasons for processing these data on the internet. Firstly, WADA insists that this information is vital for the sport community: It prevents athletes who are suspended from taking on another role within organized sport (such as coach, technical advisor or official) or participating as an athlete in another sport while banned by the Code from doing so. Secondly, WADA uses publication on the Internet for its deterrent effect: On the one hand, it functions as a sanction: WADA explains that "[a]thletes who commit doping offences are aware that they will be exposed if they get caught". On the other hand, WADA explains that other athletes should be made aware that no athlete, not even top athletes, can cheat with impunity 17.

17 See p. 9 of WADA Responses to Working Party 29, 30 January 2009.

WADA also explains that only final decisions in which an athlete is found guilty of a doping offence are published. This last statement seems contradictory to the content of the abovementioned article 14.2.2.

Such publication of personal data - and, what is more, of data about offences possibly not [yet] confirmed in an appeal procedure - constitutes interference with the right to respect of privacy and to personal data protection. For such interference to be valid, it has to be necessary in order to attain a specific legitimate purpose, which implies, among others, that there has to be a reasonable link of proportionality between the consequences of the measure for the person involved and this legitimate purpose, and that there are no other, less intrusive